Installing and Configuring Compliance Scanner for PCF

Page last updated:

This topic describes how to install and configure Compliance Scanner for PCF.


Compliance Scanner runs a scanner daemon on each VM that requires ~100 MB of memory. Before you install Compliance Scanner, you might need to resize your VMs accordingly.

Install Compliance Scanner

To install the Compliance Scanner file on the Pivotal Operations Manager Installation Dashboard:

  1. Download the product file from Pivotal Network.

  2. Navigate to the Ops Manager Installation Dashboard and click Import a Product to upload the product file.

  3. Underneath Import a Product, click + next to the version number of Compliance Scanner. This adds the tile to your staging area.

  4. Click the newly added Compliance Scanner tile.

Configure Scans

This section is where you configure expected values for tests and select which set of benchmarks to run. To configure your scans:

  1. Click Settings.

    Compliance Settings page

  2. Click Assign AZs and Networks.

  3. Configure the fields as follows:

    Field Description
    Place singleton jobs in Select the AZ that you want the oscap_store VM to run in.
    The tile runs as a singleton job.
    Balance other jobs in Select the same AZ as above.
    Network Select a subnet for the oscap_store VM.
    This is typically the same subnet that includes the Pivotal Application Services (PAS) component VMs.
  4. Click Save.

  5. Click System Variables.

    System Variables page

  6. Configure the fields in System Variables to provide the expected values for the tests:

    Field Description
    NTP Server IP The IP address of your NTP server.

    You can find this IP address in Bosh Director > Director Config > NTP Server. You can only enter one server IP address. It does not matter which NTP server you enter.
    Syslog Host IP The IP address of your syslog host.

    You can find this in your PAS tile under Settings > System Logging > Address.
    Syslog Port The port number of the syslog port.

    You can find this in your PAS tile under Settings > System Logging > Port.
  7. Click Save.

  8. Click Scan Configuration.

    Scan Configuration page

  9. Enable Scan Report Formats. You must select at least one format. The outputs of a scan can be in LOG, XML, and HTML formats.

  10. Enable Benchmarks for the scanner to run:

    Benchmark Description
    Base Xenial Includes a subset of the amended tests in the STIG benchmark, where failing tests due to architectural differences are removed.
    This is meant to be used as a measure to see if configurations have been altered.
    Recommended Security Baseline A benchmark with rules that all systems should implement, regardless of user environment or the sensitivity of the app data being processed.
    Strict Security Practices A benchmark with strict rules that are required of systems processing sensitive data or workloads. This is meant to run in addition to the tests in the recommended security baseline benchmark.
    STIG for Ubuntu Xenial Includes all the configuration tests of the published DISA STIG for Ubuntu 16.04, amended with stemcell specific changes. Contains tests that would fail due to architectural differences.

    A scan report is generated for each format and benchmark on each Linux VM running on Xenial stemcells. For example, if you select .xml and .log formats, and Base Xenial and STIG benchmarks, four log files are created for each VM tested.

    For more information about Compliance Scanner benchmarks, see Benchmarks.

  11. For Scanner Timeout, configure the maximum time in seconds permitted for a scan. The default value is 600.

  12. For Open File Limit, configure the maximum number of files that the scanner is permitted to open. If the scanner goes over this limit, the scan fails. The recommended value is at least 1024 + twice the number of VMs.

  13. Click Save.

Configure Errands

Compliance Scanner performs one errand that initiates scanning. This errand is disabled by default. This is so that a scan is not run every time changes are applied.

When this errand is triggered, it initiates the scanning errand on each VM. For more information about initiating the scanning errand, see Using Compliance Scanner.

When configuring the Compliance Scanner tile for the first time, follow these steps:

  1. Click Errands.

    Errands page

  2. Confirm that Run configured scans is set to Default (Off).

  3. Click Save.

Configure Syslog Forwarding

To configure syslog forwarding:

  1. Select Syslog. Syslog

  2. Select Yes for Do you want to configure Syslog forwarding?.

  3. Configure the fields as follows:

    Field Instructions
    Address Enter the address or host of the syslog server for sending logs, for example,
    Port Enter the port of the syslog server for sending logs, for example, 29279.
    Transport Protocol Select the transport protocol used to send system logs to the server. Pivotal recommends TCP.
    Enable TLS If you select TCP, you can also select to send logs encrypted over TLS.
    Permitted Peer Enter either the accepted fingerprint, in SHA1, or the name of the remote peer, for example, *
    SSL Certificate Enter the SSL or TLS Certificate(s) for the syslog server. This ensures the logs are transported securely.
    Queue Size Enter an integer. This value specifies the number of log messages held in the buffer. The default value is 100000.
    Forward Debug Logs Select this box to forward debug logs to external source. This option is deselected by default. If you select it, you might generate a large amount of log data.
    Custom rsyslog Configuration Enter configuration details for rsyslog. This field requires RainerScript syntax.

  4. Click Save Syslog Settings.

Configure Resources

The tile creates a new VM called oscap_store to store the logs retrieved from all the other VMs that have been scanned.

Note: The oscap_store VM does not do anything computationally extensive. Pivotal recommends using the default configurations.

  1. Click Resource Config.

  2. Click Save.

Apply Changes from Your Configuration

Your installation is not complete until you apply your configuration changes:

  1. Return to the Ops Manager Installation Dashboard.

  2. Click Review Pending Changes. Verify all products are selected.

  3. Click Apply Changes to complete the installation of Compliance Scanner.